A vulnerability assessment is a methodical examination of network infrastructure, computer systems, and software with the goal of identifying and fixing known security vulnerabilities. Once vulnerabilities are identified, they are ranked by how urgently they need to be fixed or mitigated. Usually, the vulnerability scanner also provides instructions on how to fix or mitigate the flaws it discovers.
Security teams can use the results of a vulnerability assessment to better understand their network’s security posture and put protective measures in place.
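The identify, rank and remediate cycle described above is easier to see on concrete scanner output. The following is an added example, not code from the original article or from any of the projects it lists: it takes a constructed report whose field names mirror the shape of Trivy's JSON output (an assumption; check them against the version you run), orders the findings by severity and by whether a fixed version exists, and turns each into the kind of remediation instruction a scanner would print. The CVE identifiers and package versions are placeholders, not real advisories.

```python
import json

# Constructed sample report. The field names follow the shape of Trivy's JSON
# report (assumption: verify against your Trivy version); the CVE IDs, packages
# and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "example-app:1.0 (alpine 3.18)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "InstalledVersion": "3.1.0-r0",
         "FixedVersion": "3.1.1-r0", "Severity": "HIGH", "Title": "placeholder: buffer over-read"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
         "FixedVersion": "", "Severity": "LOW", "Title": "placeholder: denial of service"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
         "FixedVersion": "1.36.1-r0", "Severity": "CRITICAL", "Title": "placeholder: command injection"}
      ]
    },
    {
      "Target": "app/requirements.txt",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "InstalledVersion": "2.25.0",
         "FixedVersion": "2.31.0", "Severity": "MEDIUM", "Title": "placeholder: credential leak"},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "urllib3", "InstalledVersion": "1.26.0",
         "FixedVersion": "", "Severity": "HIGH", "Title": "placeholder: request smuggling"}
      ]
    }
  ]
}
""")

# Higher number = fix sooner. Unknown severities sort last instead of crashing the run.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def flatten(report):
    """Yield one dict per finding, carrying the target (image, lockfile) it was found in."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "target": result.get("Target", "?"),
                "id": vuln.get("VulnerabilityID", "?"),
                "package": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or None,  # empty string means no fix published
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            }


def prioritize(report):
    """Order findings by severity, then put fixable ones before unfixable ones:
    an upgrade is a concrete action, while an unfixed flaw needs a mitigation instead."""
    findings = list(flatten(report))
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["fixed"] is None, f["id"]))
    return findings


def summarize(report):
    """Count findings per severity so the security posture can be tracked over time."""
    counts = {}
    for f in flatten(report):
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def remediation(finding):
    """Turn one finding into the instruction a scanner typically prints next to it."""
    if finding["fixed"]:
        return f"upgrade {finding['package']} {finding['installed']} -> {finding['fixed']}"
    return f"no fix published for {finding['package']}; mitigate or isolate"


if __name__ == "__main__":
    print("summary:", summarize(SAMPLE_REPORT))
    for f in prioritize(SAMPLE_REPORT):
        print(f"{f['severity']:<8} {f['id']:<14} {f['target']:<40} {remediation(f)}")
```

Run it directly to get the prioritized list; in practice the `SAMPLE_REPORT` literal would be replaced by loading the scanner's JSON file. The sort key is the design decision worth copying: severity first, then fix availability, so the first lines of the list are always the actions that both matter most and can actually be taken today.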
All of the open source vulnerability assessment tools listed below are free to download and use.
Aqua Trivy
Aqua Trivy is an open source tool that detects vulnerabilities and explains the associated risks so that developers can decide which components they want to use in their applications and containers. Trivy has different scanners that look for different security issues, and different targets in which it can find those issues.
Clair
Clair is an open source project for static vulnerability analysis in application containers (currently including OCI and Docker). Users call the Clair API to index their container images and can then check them against known vulnerabilities.
Tsunami
Tsunami is a general-purpose network security scanner with an extensible plug-in system for detecting high-severity vulnerabilities with high confidence. Tsunami is easy to scale, runs fast, and scans non-intrusively.
vaf
vaf is a cross-platform web fuzzer with features such as fast threading, HTTP header fuzzing, and proxying.
Zed Attack Proxy
Zed Attack Proxy (ZAP) is a free and open source penetration testing tool maintained under the OWASP umbrella. ZAP is designed specifically for testing web applications and is both flexible and extensible; you can even run it on a Raspberry Pi.